Deer WMS 2
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] parameter in the /system/role/list endpoint. The vulnerability has a low CVSS score of 2.1 due to limited scope and integrity impact, but exploitation is confirmed possible with publicly available proof-of-concept code. Real-world risk is minimal given the requirement for prior authentication and constrained data access impact.
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] parameter in the /system/dept/list endpoint. Despite a critical classification in the initial report, the CVSS 4.0 vector assigns a 2.1 score reflecting low impact across confidentiality, integrity, and availability. Publicly available exploit code exists; however, EPSS scoring at 0.07% (22nd percentile) suggests minimal real-world exploitation likelihood, given the authorization requirement and limited information disclosure scope.
SQL injection in Deer WMS 2 versions up to 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] parameter in the /system/role/export endpoint, leading to limited information disclosure. The vulnerability carries a CVSS score of 2.1 despite being classified critical in the original report, reflecting the CVSS v4.0 assessment of low confidentiality, integrity, and availability impact combined with required authentication. Publicly available exploit code exists, but real-world exploitation risk remains minimal due to the low EPSS score (0.07%, 22nd percentile) and authentication requirement.
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to manipulate the dataScope parameter in the /system/user/list endpoint, leading to arbitrary SQL query execution with limited information disclosure impact. The CVSS v4.0 score of 2.1 reflects low severity due to required authentication and constrained impact (confidentiality, integrity, and availability all rated low), though publicly available exploit code exists and the vulnerability has been disclosed.
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the dataScope parameter in the /system/user/export endpoint, potentially compromising data confidentiality. The vulnerability has a low CVSS score (2.1) due to authentication requirements and limited scope, but publicly available exploit code exists and the attack surface is network-accessible.
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to manipulate the dataScope parameter in the /system/role/authUser/allocatedList endpoint, leading to limited information disclosure. The vulnerability requires valid user credentials and carries a low CVSS base score of 2.1 despite a critical severity rating, with publicly available exploit code disclosed via the Gitee issue tracker. EPSS exploitation probability is extremely low at 0.07%, indicating this is unlikely to be a widespread attack vector despite public PoC availability.
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the params[dataScope] argument in the /system/role/authUser/unallocatedList endpoint. The vulnerability requires valid user credentials but has low overall impact (CVSS 2.1) and affects only data confidentiality and integrity with no system availability impact. Publicly available exploit code exists, though the EPSS score (0.07%, 22nd percentile) indicates exploitation remains uncommon in practice despite public disclosure.
SQL injection in Deer WMS 2 up to version 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ancestors parameter in the /system/dept/edit endpoint, enabling unauthorized data exfiltration or modification. Despite a critical classification, the CVSS v4.0 score of 2.1 reflects limited confidentiality and integrity impact; publicly available exploit code exists, but the EPSS exploitation probability remains low at 0.07%, suggesting the vulnerability requires authenticated access and may have limited real-world adoption or attack surface.